| 1 |
Hi! |
| 2 |
|
| 3 |
On Mon, Sep 29, 2008 at 06:46:18PM +0200, pageexec@××××××××.hu wrote: |
| 4 |
> maybe it's because of what you said: |
| 5 |
> > I've no idea why grsec complain in logs about it. |
| 6 |
> at this point it's clear that you didn't quite read the description of |
| 7 |
> GRKERNSEC_RESLOG which is what you've apparently enabled. in short, grsec |
| 8 |
> is doing what you asked it to do: log various resource overstep events. |
| 9 |
|
| 10 |
Not really. :) I know I enabled this item, and I understand what it does. |
| 11 |
The question is exactly "what's wrong with qmail-smtpd, why it hit |
| 12 |
resource limits?". |
| 13 |
|
| 14 |
> why those events occured is another question and each case needs its own |
| 15 |
> investigation. for example overstepping the default 8MB stack limit by |
| 16 |
> 180MB sounds like a memory corruption problem or something trying to pass |
| 17 |
> an inordinate amount of data on the stack (say, in the environment). |
| 18 |
> whether that was because of e.g., a bug in a script on your server or an |
| 19 |
> exploit attempt is hard to tell after the fact. also the AS limit overstep |
| 20 |
> is a known issue, qmail tries to be smart and fails to estimate its own |
| 21 |
> memory needs. |
| 22 |
|
| 23 |
Now I've smaller example. I've executed this command 10 times: |
| 24 |
perl -e 'exec "/bin/pwd"' |
| 25 |
and got 5 records in logs, listed below. |
| 26 |
Executing just: |
| 27 |
/bin/pwd |
| 28 |
or |
| 29 |
bash -c 'exec /bin/pwd' |
| 30 |
many times doesn't result in grsec alerts. |
| 31 |
If you wanna say "it's because of perl", I'd like to remind you - there |
| 32 |
was no perl scripts between tcpserver and qmail-smtpd before, the command |
| 33 |
looks this way: |
| 34 |
/usr/bin/tcpserver -p -v -R -x /etc/tcprules.d/tcp.qmail-smtp.cdb \ |
| 35 |
-c 40 -u 201 -g 200 0.0.0.0 smtp /var/qmail/bin/qmail-smtpd |
| 36 |
|
| 37 |
Didn't you think it's good idea to trace this issue? It may be a bug in |
| 38 |
grsec... anyway, usual hardened system shouldn't produce such a warnings |
| 39 |
in logs just because somebody call exec() from perl script or use qmail. |
| 40 |
|
| 41 |
2008-09-29_16:49:11.85806 kern.alert: grsec: denied resource overstep by requesting 110424064 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18143] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100 |
| 42 |
2008-09-29_16:49:17.16897 kern.alert: grsec: denied resource overstep by requesting 124620800 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18250] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100 |
| 43 |
2008-09-29_16:49:19.20874 kern.alert: grsec: denied resource overstep by requesting 137330688 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18300] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100 |
| 44 |
2008-09-29_16:49:21.16078 kern.alert: grsec: denied resource overstep by requesting 187035648 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18345] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100 |
| 45 |
2008-09-29_16:49:23.64000 kern.alert: grsec: denied resource overstep by requesting 146747392 for RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18398] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:28139] uid/euid:1000/1000 gid/egid:100/100 |
| 46 |
|
| 47 |
-- |
| 48 |
WBR, Alex. |
Archives